A private network, such as an enterprise network, typically includes a number of interconnected network devices, including desktop computers, laptop computers, slate or tablet computers, mobile phones (including so-called “smart phones”), servers, routers, hubs, and switches. Each of the network devices may be assigned a layer-three (L3) network address that uniquely identifies each of the network devices within the private network. In some instances, the network devices may employ the L3 network address when communicating with a public network, such as the Internet. However, using the L3 network address to communicate with the public network may expose the topology of the private network to malicious persons, such as so-called “hackers.” Knowledge of the topology of the private network may enable these malicious persons to formulate attacks that target vulnerabilities of the private network.
To prevent malicious persons from discovering the topology of the private network, network administrators may deploy one or more network security devices, such as firewall devices, at the edges of the private network to perform a technique referred to as network address translation (NAT) that masks the internal addressing, and thereby the topology, of the private network. To perform NAT, each of the one or more network security devices maps the L3 network address assigned to each of the network devices of the private network to an L3 network address assigned to the corresponding one of the one or more network security devices. Because many network devices then share a single L3 network address, the network security device must be able to distinguish their traffic: for each new flow (e.g., each TCP or UDP connection) originating from a network device of the private network, the network security device allocates a source port from its own port pool that is not in use by any other translated flow, and records the mapping between the original source address and port and the allocated port in a translation table. (This port-translating variant of NAT is often referred to as NAPT or PAT.) Upon receiving a packet or other network communication from the network devices of the private network, the network security device replaces the L3 network address assigned to the network device (e.g., the source L3 network address specified in the header of the packet) with the L3 network address assigned to the network security device while also replacing the source port specified in the header of the packet with the source port it allocated for that flow. When a reply arrives at the network security device, the destination port of the reply is looked up in the translation table and the original private address and port are restored before the reply is forwarded into the private network; a packet arriving at the public address for which no mapping exists is dropped. In this way, all packets or other communications originating from the private network appear to originate from the network security device rather than from each of the individual network devices of the private network, thereby masking the topology of the private network.
While NAT may provide an effective security measure for masking the topology of the private network, the network security devices have to perform NAT on each and every packet originated by the network devices of the private network, and have to maintain per-flow translation state for every active flow. In large private networks, the network security devices may have to perform NAT on a large volume of packets, often in very short amounts of time. Performing NAT on such large volumes of packets may overwhelm network security devices, resulting in delay when forwarding packets to their intended destinations. Moreover, the translation state is finite: the port pool of the network security device and its translation table can both be exhausted by a burst of new flows, after which new connections can no longer be translated. When a large number of packets are required to be processed for NAT in short time durations, the network security devices may therefore fail, potentially compromising the security of the private network.
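The translation described above, together with the port-exhaustion failure mode, as an added worked example that is not part of the original text: a small in-memory NAPT device that rewrites outbound packets, records one mapping per flow, reverse-translates replies, drops unsolicited inbound packets, and raises when its port pool is used up. The class and method names, the documentation-range addresses (203.0.113.1, 198.51.100.7, 192.0.2.9) and the deliberately tiny two-port pool are all constructed for the example.

```python
"""Minimal port-translating NAT (NAPT) simulation.

Added example; not code from the original text. Models the behaviour
described above: outbound packets have their private source address and
port replaced by the NAT device's public address and an allocated port,
the mapping is recorded per flow, and replies are translated back.
All addresses, ports and packets are constructed for the example.
"""
from dataclasses import dataclass, replace as with_fields
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes = b""


class PortExhausted(Exception):
    """The NAT device has no free public port for a new flow."""


# Outbound key: one entry per flow, not per private host.
FlowKey = Tuple[str, str, int, str, int]   # proto, src_ip, src_port, dst_ip, dst_port


class Napt:
    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.next_port = self.lo
        self.used_ports: Set[int] = set()
        self.out: Dict[FlowKey, int] = {}                       # flow -> public port
        # (proto, public_port) -> (priv_ip, priv_port, remote_ip, remote_port)
        self.back: Dict[Tuple[str, int], Tuple[str, int, str, int]] = {}

    def _alloc_port(self) -> int:
        """Round-robin over the pool; fail once every port is in use."""
        for _ in range(self.hi - self.lo + 1):
            port = self.next_port
            self.next_port = self.lo if port == self.hi else port + 1
            if port not in self.used_ports:
                self.used_ports.add(port)
                return port
        raise PortExhausted(f"no free port on {self.public_ip}")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:                       # first packet of a new flow
            port = self._alloc_port()
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return with_fields(pkt, src_ip=self.public_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address; None means drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.back.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                        # unsolicited: no flow opened this port
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                        # reply must come from the flow's peer
        return with_fields(pkt, dst_ip=priv_ip, dst_port=priv_port)


def demo() -> dict:
    """Run two hosts through a two-port pool, then trigger exhaustion."""
    nat = Napt("203.0.113.1", port_range=(40000, 40001))       # tiny pool on purpose
    a = Packet("tcp", "10.0.0.5", 51000, "198.51.100.7", 443)
    b = Packet("tcp", "10.0.0.6", 51000, "198.51.100.7", 443)  # same private port, other host
    ta = nat.outbound(a)
    tb = nat.outbound(b)
    ta_again = nat.outbound(a)                                  # existing flow keeps its port
    reply = Packet("tcp", "198.51.100.7", 443, "203.0.113.1", ta.src_port, b"hello")
    back = nat.inbound(reply)
    spoof = Packet("tcp", "192.0.2.9", 443, "203.0.113.1", ta.src_port)
    try:
        nat.outbound(Packet("udp", "10.0.0.7", 5000, "198.51.100.7", 53))
        exhausted = False
    except PortExhausted:
        exhausted = True
    return {"ta": ta, "tb": tb, "ta_again": ta_again, "back": back,
            "spoof_dropped": nat.inbound(spoof) is None, "exhausted": exhausted}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two-port pool is what makes the last call fail; a real device has tens of thousands of ports per public address and ages mappings out, but the shape of the failure is the same: once the pool or the table is full, new flows cannot be translated. Keying the reverse table on the destination peer as well as the public port is what lets the device drop a packet from an unrelated source aimed at an open port.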